Threefold Increase in Malware Targeting Credential Stores


Infostealers continued to grow in popularity on the cybercrime underground last year, with credentials from password stores appearing in 29% of malware samples analyzed by Picus Security.

The security vendor’s Red Report 2025 examined over one million malware samples and mapped more than 14 million malicious actions and 11 million instances of MITRE ATT&CK techniques, in order to better illuminate the threat landscape.

It revealed a three-fold increase in the share of malware strains targeting credential stores – reflecting the growing market for compromised logins.

“A growing trend in credential theft targets password managers, browser-stored credentials, and cached login data to gain lateral movement and afford attackers elevated privileges to sensitive systems,” the report noted. “Those stolen credentials are later used for lateral movement and privilege escalation, allowing attackers to broaden their reach within the environments they’ve compromised.”


Credentials stolen via infostealers were used in the Snowflake campaign last year which resulted in the compromise of hundreds of millions of victims.

Among the other trends Picus Security revealed are:

  • Techniques for stealth and evasion: Process injection was observed in 31% of analyzed samples. Code injected into a legitimate process evades detection in many security solutions, Picus Security claimed. It also recorded the “Command and Scripting Interpreter” technique, which enables attackers to use hard-to-detect native tools, such as PowerShell and Bash. Threat actors are also more likely to use encrypted channels like HTTPS and DNS over HTTPS (DoH) for exfiltration or command-and-control (C2) communication, bypassing monitoring tools.
  • Real-time data theft: Attackers used “Input Capture” and “System Information Discovery” to accelerate data theft in real time. For example, infostealers used keyloggers, screen capture utilities and audio interceptors.
  • Persistence: “Boot or Logon Autostart Execution” is an increasingly popular method for malware to survive system reboots and removal attempts.
  • Sophistication: A typical piece of malware now performs an average of 14 malicious actions and 12 ATT&CK techniques per sample, indicating the growing maturity of the market and supporting “multi-stage, structurally complex” attacks.
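The techniques listed above are all catalogued in MITRE ATT&CK, and the report's per-sample figures (share of samples touching credential stores, techniques per sample) come from tagging observed behaviour with those technique IDs. The script below is an added illustration of that kind of tagging from the defender's side; it is not code from Picus Security or the Red Report. The endpoint telemetry is constructed for the example (a simplified Sysmon-like key=value line per event), the detection rules are deliberately narrow regexes, and the technique IDs are the public MITRE ATT&CK identifiers for the techniques the report names.

```python
"""Tag simplified endpoint telemetry with ATT&CK technique IDs and compute
the per-sample metrics the report uses (share of samples showing a technique,
average distinct techniques per sample).

Added example, not code from Picus Security. Log format and events are
constructed; technique IDs are MITRE ATT&CK's public identifiers.
"""
import re
from collections import Counter

# Constructed sample events: three hypothetical malware samples (A, B, C),
# one event per line, loosely modelled on Sysmon event types.
SAMPLE_EVENTS = [
    "sample=A event=RegistryValueSet key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater value=C:\\Users\\u\\AppData\\Roaming\\upd.exe",
    "sample=A event=FileRead path=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "sample=A event=NetworkConnect dst=dns.google port=443 proto=tcp",
    "sample=B event=CreateRemoteThread source=loader.exe target=explorer.exe",
    "sample=B event=ProcessCreate image=powershell.exe cmdline=-enc REDACTED",
    "sample=C event=FileRead path=C:\\Users\\u\\Documents\\notes.txt",
]

# Detection rules: (ATT&CK technique id, technique name, regex over the event line).
# Each rule maps one observable behaviour to the technique the report discusses.
RULES = [
    ("T1547", "Boot or Logon Autostart Execution",
     re.compile(r"event=RegistryValueSet .*\\CurrentVersion\\Run\\", re.I)),
    ("T1555", "Credentials from Password Stores",  # browser credential databases
     re.compile(r"event=FileRead .*(?:Login Data|logins\.json|key4\.db)", re.I)),
    ("T1055", "Process Injection",
     re.compile(r"event=CreateRemoteThread\b", re.I)),
    ("T1059", "Command and Scripting Interpreter",
     re.compile(r"event=ProcessCreate .*image=(?:[^ ]*\\)?(?:powershell|pwsh|cmd|bash)(?:\.exe)?\b", re.I)),
    ("T1573", "Encrypted Channel",  # TLS connection to a public DoH resolver
     re.compile(r"event=NetworkConnect .*dst=(?:dns\.google|cloudflare-dns\.com|dns\.quad9\.net) port=443\b", re.I)),
]


def classify(line: str) -> set[str]:
    """Return the set of technique IDs whose rule matches one event line."""
    return {tid for tid, _name, rx in RULES if rx.search(line)}


def summarize(lines) -> dict[str, Counter]:
    """Group events by sample id and count which techniques each sample showed."""
    per_sample: dict[str, Counter] = {}
    for line in lines:
        m = re.match(r"sample=(\S+)", line)
        if not m:
            continue  # malformed line: skip rather than guess a sample
        per_sample.setdefault(m.group(1), Counter()).update(classify(line))
    return per_sample


def share_with(per_sample: dict[str, Counter], tid: str) -> float:
    """Fraction of samples exhibiting technique `tid` (the report's '29%' style metric)."""
    if not per_sample:
        return 0.0
    return sum(1 for c in per_sample.values() if c[tid]) / len(per_sample)


def avg_techniques_per_sample(per_sample: dict[str, Counter]) -> float:
    """Average number of distinct techniques observed per sample."""
    if not per_sample:
        return 0.0
    return sum(len(c) for c in per_sample.values()) / len(per_sample)


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    names = {tid: name for tid, name, _ in RULES}
    for sample, counts in summary.items():
        print(sample, sorted(f"{t} {names[t]}" for t in counts))
    print(f"share with credential-store access: {share_with(summary, 'T1555'):.0%}")
    print(f"avg techniques per sample: {avg_techniques_per_sample(summary):.2f}")
```

Rules this narrow are meant for reading, not production: a real pipeline would normalise paths for other browsers and password managers, watch for the autostart locations beyond the Run key, and treat a DoH resolver connection as suspicious only in context (a host whose own resolver is DoH will trigger it constantly). The shape of the output, though, is exactly what the report aggregates: a set of technique IDs per sample, from which share-of-samples and techniques-per-sample figures follow.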

“Threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom,” said Picus Security co-founder and VP of Picus Labs, Suleyman Ozarslan.

“It’s vital that password managers are used in tandem with multi-factor authentication, and that employees never reuse a password, especially for their password manager.” 

“Attackers’ ability to tailor their tactics to their surroundings speaks to a move toward precision-centric campaigns that work to create maximum destruction with minimum exposure,” the report noted.
